Nginx prohibits IP access and only allows domain name access, and Nginx anti-leech settings

1. Nginx prohibits IP access and only allows domain name access

1.1 Background and purpose

       In practice a server receives a great deal of malicious traffic aimed directly at its IP address. One countermeasure is to configure Nginx to refuse requests that address the server by IP and to serve only requests that arrive with a configured domain name. This also stops a third party from pointing an unregistered domain at your server's IP, which in some hosting environments can get the server taken offline.

1.2 Setting method

       Next, look at Nginx's default virtual host. It is the server block that handles requests arriving by IP or with a domain name you have not configured (for example, someone points their own domain at your IP). The key step is to add this line inside that server block:

listen 80 default;

The default parameter marks this server block as the default virtual host (current Nginx versions spell this parameter default_server; the old form is still accepted). This one setting is the basis of the IP-blocking configuration below.

       For example, when someone visits your server by IP or through an unknown domain name, you may want to show no valid content at all and return 500 or 403 instead. Many hosting providers in China now require site owners to close the empty host header so that unregistered domains cannot be pointed at their servers and cause trouble. You can set it up like this:

Modify the nginx.conf file as follows:

server {
    listen 80 default;
    return 403;
}

With this configuration a 403 error is returned for every request that arrives by IP or with a domain name you have not configured.

You can also capture this traffic and redirect it to your own site with a rewrite rule instead:

server {
    listen 80 default;
    rewrite ^(.*) http://www.youdomain.com permanent;
}

2. Nginx anti-leech settings

2.1 Background and purpose

       Hotlinking is ubiquitous on today's Internet. A hotlinker takes the URLs of images, videos, articles and other resources from a legitimate website and embeds them directly in their own site without authorization. Stealing resources this way is a common method for the black-market industry to obtain the highest return at the lowest cost. For example, the author recently considered buying a house; Beike.com publishes real floor plans and VR tours, and some real estate agents hotlink those floor plans directly from Beike.com to attract clicks. For any large website it is therefore important to take anti-hotlinking measures to protect its own interests. When Nginx serves such static resources (images, videos, articles and so on), anti-hotlinking can be implemented through configuration.

2.2 How to prevent hotlinking?

       As described above, hotlinking means using URLs saved from the official website to fetch images, videos and similar resources directly. The simplest anti-hotlinking idea is to verify the legitimacy of each request from key information the client sends with it, such as the client IP, the request URL and the Referer header, and to reject the request outright if it is illegitimate. Since this basic information can be forged, such basic measures are not necessarily secure. Other anti-hotlinking methods include login authentication and the use of cookies. For specific scenarios such as live streaming there are more advanced methods, including timestamp-based anti-leech, SWF anti-leech and back-to-origin authentication.

2.3 referer module anti-theft

       The module Nginx uses to implement anti-leeching is the referer module. The principle is this: if another website hotlinks your picture, then when a user clicks or views the hotlinked content, the Referer field in the HTTP request header carries the URL of the hotlinking website. By reading this header we know which page initiated the request and can judge whether that address is one of our own legitimate pages; if it is not, the request is treated as hotlinking.

A simple Nginx anti-leech configuration is as follows:

server {
        listen   80;
        server_name  youdomain.com;

        valid_referers none blocked *.youdomain.org www.youdomain.com/nginx server_names ~\.baidu\.;
        if ($invalid_referer) {
            return 499;
        }
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}

  • none: allow requests with no Referer header
  • blocked: the Referer field is present, but its value has been stripped by a firewall or proxy (it does not start with http:// or https://)
  • server_names: access is allowed if the host in the Referer matches one of the domain names in server_name
  • arbitrary strings (a host name, optionally with a URI prefix, where the host may begin or end with *) or regular expressions (prefixed with ~)

Nginx compares the Referer field against the list that follows valid_referers. If it matches, the built-in variable $invalid_referer is set to 0; otherwise it is set to 1.
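To make the matching rules concrete, here is an added example (not code from the original post) that models how nginx evaluates the valid_referers list from the configuration above against sample Referer headers. The domain names are the post's placeholders and the sample headers are constructed; port numbers in the Referer are not handled.

```python
import re

# Constructed rule list and server_name copied from the configuration above.
VALID_REFERERS = ["none", "blocked", "*.youdomain.org",
                  "www.youdomain.com/nginx", "server_names", r"~\.baidu\."]
SERVER_NAMES = ["youdomain.com"]


def _host_matches(pattern: str, host: str) -> bool:
    # nginx allows a single '*' at the start or the end of the host part.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.x.org" matches "a.x.org" but not "x.org"
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def referer_is_valid(referer, rules=VALID_REFERERS, server_names=SERVER_NAMES) -> bool:
    """Return True when nginx would treat the Referer as valid (no $invalid_referer)."""
    if referer is None:
        return "none" in rules                       # header missing
    lowered = referer.lower()
    if not (lowered.startswith("http://") or lowered.startswith("https://")):
        return "blocked" in rules                    # present but not a URL (stripped by a proxy)
    rest = lowered.split("://", 1)[1]                # "host/path": what the patterns are matched against
    host = rest.split("/", 1)[0]
    path = rest[len(host):]                          # "" or "/..."
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if any(_host_matches(n, host) for n in server_names):
                return True
        elif rule.startswith("~"):
            if re.search(rule[1:], rest):            # regex is applied after the scheme
                return True
        else:
            p_host, slash, p_path = rule.partition("/")
            if _host_matches(p_host, host) and (not slash or path.startswith("/" + p_path)):
                return True
    return False
```

Note that www.youdomain.com/nginx only accepts pages under /nginx on that host, and *.youdomain.org accepts subdomains but not the bare domain.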

2.4 secure_link module anti-theft

       The referer-based method above, which simply checks a header value, is fragile: a hotlinker can bypass it by forging the Referer. Nginx offers a more advanced method based on the secure_link module, which checks both the authority of a requested link and whether it has expired; it is mostly used for anti-leeching on download servers. This module is not compiled into Nginx by default and must be enabled when building from source with --with-http_secure_link_module.

This module prevents hotlinking by verifying a hash value carried in the URL. The anti-theft process is as follows:

  • A secure encrypted URL is generated by the server or Nginx and returned to the client;
  • The client requests the resource (for example a picture) from Nginx with that secure URL, and the secure_link variable in Nginx records whether verification passed.

       By configuring the secure_link and secure_link_md5 directives, Nginx can check both the authority and the expiry of a link.

Like the $invalid_referer variable in the referer module, the secure_link module uses a built-in variable, $secure_link, to indicate whether verification passed. $secure_link takes one of three values:

  • Empty string: validation failed
  • 0: URL expired
  • 1: Verification passed

The secure_link_md5 directive defines how valid URLs are generated. For example:

secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

With the secure_link_md5 configuration above, the command to generate a valid URL is as follows:

# 2023-04-19 17:00:00 converted to a Unix timestamp is 1681894800
echo -n '1681894800/test.png127.0.0.1 secret' | \
    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =

The command above yields the md5 value cPnjBG9bAZvY_jbPOj13mA, which is the important part. Next, construct the URL in the form the secure_link directive expects. If the secure_link directive is configured as follows:

secure_link $arg_md5,$arg_expires;

then the requested URL must include both the md5 and expires parameters, for example:

http://192.168.1.10:9008/test.png?md5=cPnjBG9bAZvY_jbPOj13mA&expires=1681894800

An example of validation configuration in Nginx is as follows:

location ~* \.(gif|jpg|png|swf|flv|mp4)$ {
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
    # empty string: verification failed
    if ($secure_link = "") {
        return 403;
    }
    # link has expired
    if ($secure_link = "0") {
        return 410 "URL过期,请重新生成";
    }
    root /root/test;
}
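The following added example (not code from the original post) shows both halves of the secure_link flow above in Python: a signer that produces the same md5 and expires parameters as the openssl pipeline, and a model of the check nginx performs with the location block above, returning the three $secure_link values. The host, path, client IP and the literal secret are the post's example values; the expiry semantics (a link is expired once its timestamp is in the past) are an assumption of the model.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = "secret"  # the literal " secret" suffix from the post's secure_link_md5; use a long random value in practice


def secure_link_md5(expires: int, uri: str, remote_addr: str, secret: str = SECRET) -> str:
    """md5 argument nginx expects: base64url(md5("$secure_link_expires$uri$remote_addr secret")) without '='."""
    raw = f"{expires}{uri}{remote_addr} {secret}".encode()
    return base64.urlsafe_b64encode(hashlib.md5(raw).digest()).rstrip(b"=").decode()


def make_url(base: str, uri: str, remote_addr: str, ttl: int, now=None) -> str:
    """Build the client URL with md5 and expires parameters, valid for ttl seconds from now."""
    expires = (int(time.time()) if now is None else now) + ttl
    return f"{base}{uri}?md5={secure_link_md5(expires, uri, remote_addr)}&expires={expires}"


def check_secure_link(url: str, remote_addr: str, now=None) -> str:
    """Model of the value nginx stores in $secure_link for this request:
    "" -> hash mismatch (403 above), "0" -> expired (410 above), "1" -> valid."""
    parts = urlsplit(url)
    args = parse_qs(parts.query)
    md5_arg = args.get("md5", [""])[0]
    try:
        expires = int(args.get("expires", [""])[0])
    except ValueError:
        return ""                                    # missing or malformed expires
    expected = secure_link_md5(expires, parts.path, remote_addr)
    # constant-time comparison; the hash binds uri, client IP and expiry together
    if not hmac.compare_digest(expected, md5_arg):
        return ""
    if expires < (int(time.time()) if now is None else now):
        return "0"
    return "1"


if __name__ == "__main__":
    link = make_url("http://192.168.1.10:9008", "/test.png", "127.0.0.1", ttl=3600)
    print(link, check_secure_link(link, "127.0.0.1"))
```

Changing the path, the client IP or the expires value invalidates the hash, which is what makes a leaked link useless beyond its original client and lifetime.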

2.5 Summary

       The common Nginx anti-leeching method uses the Referer field to determine where a request came from and thus whether it is legitimate. Because this field is easy to forge, it is rarely relied on alone for anti-hotlinking. The Nginx secure_link module instead uses a hash over the link's parameters; it is commonly used when generating download URLs for pictures and videos and offers much stronger protection. Third-party modules can further extend Nginx's anti-leech capabilities; for example, the commonly used ngx_http_accesskey_module implements anti-hotlinking for file downloads.

Origin blog.csdn.net/qq_43762932/article/details/130247503